On Friday, May 12, 2017, a massive ransomware attack swept across the globe. As of the date of this post, the attack reportedly had infected more than 100,000 organizations in 150 countries. The attack continues to propagate in different and more malicious forms and it is likely some of our clients have been impacted.
This malware, called “WannaCry,” locks out users and threatens to destroy data unless the victim pays a ransom to decrypt the data. The initial ransom demand was $300, to be paid in Bitcoin, and it is reported that the demand is increasing. It is unclear whether the ransom payment will buy the freedom of a single computer or an entire network. If the former, the attack may prove very expensive if companies agree to pay the ransom.
Impacted companies should immediately review their cyber insurance policy if they have purchased one. Many cyber policies offer ransom or extortion coverage, which includes the cost of the ransom payment. Cyber policies also typically provide coverage for the cost of investigating and responding to a ransomware attack and for lost business income arising from the attack.
Timing is very important. Most cyber insurance policies provide coverage only for costs incurred after the insured notifies the insurance company. Therefore, the costs that businesses are incurring this weekend to respond to the WannaCry attack, including ransom payments, will not be covered unless the business provides notice to the insurance company prior to incurring the payment. Some policies also require that the policyholder inform the applicable law enforcement agency and obtain the insurer’s consent before making any ransom payment. Therefore, despite the urge to move swiftly in response to this crisis, we recommend policyholders understand and comply with the notice provisions of their policies to ensure they preserve their right to insurance coverage.
In addition to these insurance considerations, there are a number of critical decision points facing affected companies right now, including whether to pay the ransom, how to comprehensively assess and remediate any damage done, which other parties to include in this process, and what actions may need to be taken to comply with applicable law. Actions that companies take today may have lasting consequences long into the future.
Please contact us if we can assist in responding to these malware attacks.